Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Accounts Framework WLAN' = '<SYSTEM32>\jfxmqpq.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Peer Detection Initiator Superfetch Search] 'ImagePath' = '<SYSTEM32>\jfxmqpq.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Peer Detection Initiator Superfetch Search] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '<SYSTEM32>\quuxaqhlzdt.exe' "<SYSTEM32>\jfxmqpq.exe"
- '%WINDIR%\Temp\iwjcho2kg4gbwkz.exe' -r 27833 tcp
- '%TEMP%\iwjcho2g56gbwkzcjhpsy5y.exe'
- '<SYSTEM32>\jfxmqpq.exe'
Modifies file system:
Creates the following files:
- <SYSTEM32>\onfwyduqb\run
- <SYSTEM32>\onfwyduqb\rng
- %WINDIR%\Temp\iwjcho2kg4gbwkz.exe
- <SYSTEM32>\onfwyduqb\cfg
- <SYSTEM32>\quuxaqhlzdt.exe
- %TEMP%\iwjcho2g56gbwkzcjhpsy5y.exe
- <SYSTEM32>\onfwyduqb\tst
- <SYSTEM32>\jfxmqpq.exe
- <SYSTEM32>\onfwyduqb\etc
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\quuxaqhlzdt.exe
- <SYSTEM32>\jfxmqpq.exe
Deletes the following files:
- %WINDIR%\Temp\iwjcho2kg4gbwkz.exe
- <DRIVERS>\etc\hosts
- %TEMP%\iwjcho2g56gbwkzcjhpsy5y.exe
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'ta###been.net':80
- 'le###een.net':80
- 'le###ext.net':80
- 'le###ook.net':80
- 'ta###next.net':80
- 'ca###ook.net':80
- 'po###next.net':80
- 'po###cook.net':80
- 'po###tall.net':80
- 'ca###all.net':80
- 'ta###cook.net':80
- 'we###ook.net':80
- 'fe###ext.net':80
- 'fe###ook.net':80
- 'fe###all.net':80
- 'we###all.net':80
- 'ta###tall.net':80
- 'le###all.net':80
- 'we###een.net':80
- 'we###ext.net':80
- 'fe###een.net':80
- 'fa###been.net':80
- 'so###again.net':80
- 'ri###een.net':80
- 'ri###ext.net':80
- 'fa###next.net':80
- 'so###sugar.net':80
- 'fi###sugar.net':80
- 'fi###pass.net':80
- 'fi###again.net':80
- 'so###pass.net':80
- 'fa###cook.net':80
- 'no###all.net':80
- 'no###ook.net':80
- 'ca###een.net':80
- 'ca###ext.net':80
- 'po###been.net':80
- 'fa###tall.net':80
- 'ri###ook.net':80
- 'ri###all.net':80
- 'no###ext.net':80
- 'no###een.net':80
- 'we###tart.net':80
- 'no###tart.net':80
- 'no###ine.net':80
- 'no###ever.net':80
- 'we###ine.net':80
- 'fa###never.net':80
- 'ri###ine.net':80
- 'ri###ever.net':80
- 'we###ing.net':80
- 'no###ing.net':80
- 'be##lxc.com':80
- 'mi###hown.net':80
- 'ab###ell.net':80
- 'mo###ugust.net':80
- 'cr#####onaraminta.net':80
- 'le###form.net':80
- 'al###being.net':80
- 'ri###nstorm.net':80
- 'ca####nbring.net':80
- 'mo###olor.net':80
- 'pr####tbottom.net':80
- 'li###all.net':80
- 'th###cook.net':80
- 'th###tall.net':80
- 'so###been.net':80
- 'fi###been.net':80
- 'th###been.net':80
- 'li###een.net':80
- 'li###ext.net':80
- 'li###ook.net':80
- 'th###next.net':80
- 'fi###next.net':80
- 'ri###ing.net':80
- 'fa###sing.net':80
- 'fa###start.net':80
- 'fa###nine.net':80
- 'ri###tart.net':80
- 'fi###cook.net':80
- 'so###next.net':80
- 'so###cook.net':80
- 'so###tall.net':80
- 'fi###tall.net':80
TCP:
HTTP GET requests:
- http://ta###been.net/index.php
- http://le###een.net/index.php
- http://le###ext.net/index.php
- http://le###ook.net/index.php
- http://ta###next.net/index.php
- http://ca###ook.net/index.php
- http://po###next.net/index.php
- http://po###cook.net/index.php
- http://po###tall.net/index.php
- http://ca###all.net/index.php
- http://ta###cook.net/index.php
- http://we###ook.net/index.php
- http://fe###ext.net/index.php
- http://fe###ook.net/index.php
- http://fe###all.net/index.php
- http://we###all.net/index.php
- http://ta###tall.net/index.php
- http://le###all.net/index.php
- http://we###een.net/index.php
- http://we###ext.net/index.php
- http://fe###een.net/index.php
- http://fa###been.net/index.php
- http://so###again.net/index.php
- http://ri###een.net/index.php
- http://ri###ext.net/index.php
- http://fa###next.net/index.php
- http://so###sugar.net/index.php
- http://fi###sugar.net/index.php
- http://fi###pass.net/index.php
- http://fi###again.net/index.php
- http://so###pass.net/index.php
- http://fa###cook.net/index.php
- http://no###all.net/index.php
- http://no###ook.net/index.php
- http://ca###een.net/index.php
- http://ca###ext.net/index.php
- http://po###been.net/index.php
- http://fa###tall.net/index.php
- http://ri###ook.net/index.php
- http://ri###all.net/index.php
- http://no###ext.net/index.php
- http://no###een.net/index.php
- http://we###tart.net/index.php
- http://no###tart.net/index.php
- http://no###ine.net/index.php
- http://no###ever.net/index.php
- http://we###ine.net/index.php
- http://fa###never.net/index.php
- http://ri###ine.net/index.php
- http://ri###ever.net/index.php
- http://we###ing.net/index.php
- http://no###ing.net/index.php
- http://be##lxc.com/index.php
- http://mi###hown.net/index.php
- http://ab###ell.net/index.php
- http://mo###ugust.net/index.php
- http://cr#####onaraminta.net/index.php
- http://le###form.net/index.php
- http://al###being.net/index.php
- http://ri###nstorm.net/index.php
- http://ca####nbring.net/index.php
- http://mo###olor.net/index.php
- http://pr####tbottom.net/index.php
- http://li###all.net/index.php
- http://th###cook.net/index.php
- http://th###tall.net/index.php
- http://so###been.net/index.php
- http://fi###been.net/index.php
- http://th###been.net/index.php
- http://li###een.net/index.php
- http://li###ext.net/index.php
- http://li###ook.net/index.php
- http://th###next.net/index.php
- http://fi###next.net/index.php
- http://ri###ing.net/index.php
- http://fa###sing.net/index.php
- http://fa###start.net/index.php
- http://fa###nine.net/index.php
- http://ri###tart.net/index.php
- http://fi###cook.net/index.php
- http://so###next.net/index.php
- http://so###cook.net/index.php
- http://so###tall.net/index.php
- http://fi###tall.net/index.php
UDP:
- DNS ASK ta###been.net
- DNS ASK le###een.net
- DNS ASK le###ext.net
- DNS ASK le###ook.net
- DNS ASK ta###next.net
- DNS ASK ca###ook.net
- DNS ASK po###next.net
- DNS ASK po###cook.net
- DNS ASK po###tall.net
- DNS ASK ca###all.net
- DNS ASK ta###cook.net
- DNS ASK we###ook.net
- DNS ASK fe###ext.net
- DNS ASK fe###ook.net
- DNS ASK fe###all.net
- DNS ASK we###all.net
- DNS ASK ta###tall.net
- DNS ASK le###all.net
- DNS ASK we###een.net
- DNS ASK we###ext.net
- DNS ASK fe###een.net
- DNS ASK fa###been.net
- DNS ASK so###again.net
- DNS ASK ri###een.net
- DNS ASK ri###ext.net
- DNS ASK fa###next.net
- DNS ASK so###sugar.net
- DNS ASK fi###sugar.net
- DNS ASK fi###pass.net
- DNS ASK fi###again.net
- DNS ASK so###pass.net
- DNS ASK fa###cook.net
- DNS ASK no###all.net
- DNS ASK no###ook.net
- DNS ASK ca###een.net
- DNS ASK ca###ext.net
- DNS ASK po###been.net
- DNS ASK fa###tall.net
- DNS ASK ri###ook.net
- DNS ASK ri###all.net
- DNS ASK no###ext.net
- DNS ASK no###een.net
- DNS ASK li###een.net
- DNS ASK no###ine.net
- DNS ASK we###tart.net
- DNS ASK we###ine.net
- DNS ASK be##lxc.com
- DNS ASK no###ever.net
- DNS ASK ri###ever.net
- DNS ASK fa###never.net
- DNS ASK no###ing.net
- DNS ASK no###tart.net
- DNS ASK we###ing.net
- DNS ASK mi###hown.net
- DNS ASK ab###ell.net
- DNS ASK mo###ugust.net
- DNS ASK cr#####onaraminta.net
- DNS ASK le###form.net
- DNS ASK al###being.net
- DNS ASK ri###nstorm.net
- DNS ASK ca####nbring.net
- DNS ASK mo###olor.net
- DNS ASK pr####tbottom.net
- DNS ASK ri###ine.net
- DNS ASK th###tall.net
- DNS ASK li###all.net
- DNS ASK fi###been.net
- DNS ASK fi###next.net
- DNS ASK so###been.net
- DNS ASK li###ext.net
- DNS ASK th###been.net
- DNS ASK th###next.net
- DNS ASK th###cook.net
- DNS ASK li###ook.net
- DNS ASK ri###ing.net
- DNS ASK fa###sing.net
- DNS ASK fa###start.net
- DNS ASK fa###nine.net
- DNS ASK ri###tart.net
- DNS ASK fi###cook.net
- DNS ASK so###next.net
- DNS ASK so###cook.net
- DNS ASK so###tall.net
- DNS ASK fi###tall.net
- '23#.#55.255.250':1900
